Hello,
For a project I'm assisting with I need to open the $MFT (the actual file) and calculate its MD5.
Windows does acknowledge its existence (i.e. CreateFile to \\.\c:\$mft works) but any attempt to read from it returns an Access denied error.
I tried a different approach with FSCTL_GET_RETRIEVAL_POINTERS. The call works, but I couldn't find any code example on how to go over the file one cluster at a time. An NTFS Parser Lib is a great project that can actually do what I want, but it uses a GPL licence so I can't take code directly off it.
Plus, I think using it might be somewhat of an overkill anyway.
Any info would be welcomed.
Thanks.

1 solution

Solution 1

You will need to open the HDD (or better yet, just the partition) with direct access, then write your own file system library. You were pretty much doing this. Just use "\\\\.\\C:"

The good news is that this is not as hard as it sounds.

I would STRONGLY recommend getting a hex editor. I use the excellent Breakpoint Hex Workshop but it is not free. Try searching around for one that can open HDDs.

I would recommend that you get a basic understanding of the FAT filesystem first. Although the idea of NTFS is remarkably different, the implementation of core features is almost identical for accessing the $FILEs such as $MFT.

There is a website, http://www.ntfs.com/, which I used for helping my understanding of the NTFS filesystem, although I already knew the FAT filesystem.

In addition, you can read parts of the NTFS Parser Lib that you mentioned. There is no harm in that; you just can't copy code from it.
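
As an added example (not part of the answer above and not taken from NTFS Parser Lib), the following Python code walks the path the answer describes: boot sector, MFT record 0, the $DATA run list, then each cluster in turn, hashing the on-disk bytes of $MFT with MD5. The function names are hypothetical. It assumes a seekable binary file object over the volume or an image of it, a sectors-per-cluster value below 0x80, no sparse runs, and a $DATA attribute that sits wholly in record 0 before offset 510, so no update-sequence fixup is needed to read it.

```python
import hashlib, struct

def boot_geometry(bs):
    """(cluster size, $MFT start LCN, file record size) from the boot sector."""
    if bs[3:11] != b"NTFS    ":
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", bs, 0x0B)
    mft_lcn, code = struct.unpack_from("<Q8xb", bs, 0x30)  # 0x30 LCN, 0x40 size code
    cluster = bytes_per_sector * sectors_per_cluster
    # code < 0: record is 2**-code bytes; otherwise code counts clusters
    return cluster, mft_lcn, (1 << -code) if code < 0 else code * cluster

def decode_runs(rl):
    """Run list -> [(lcn, clusters)]; offsets are signed deltas. Assumes no sparse runs."""
    runs, pos, lcn = [], 0, 0
    while pos < len(rl) and rl[pos]:
        n, m = rl[pos] & 0x0F, rl[pos] >> 4      # sizes of length and offset fields
        count = int.from_bytes(rl[pos + 1:pos + 1 + n], "little")
        lcn += int.from_bytes(rl[pos + 1 + n:pos + 1 + n + m], "little", signed=True)
        runs.append((lcn, count))
        pos += 1 + n + m
    return runs

def mft_data_runs(rec):
    """Runs and real size of the unnamed non-resident $DATA (0x80) in MFT record 0."""
    if rec[:4] != b"FILE":
        raise ValueError("bad file record signature")
    off, = struct.unpack_from("<H", rec, 0x14)   # offset of the first attribute
    while off + 16 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:     # end marker or corrupt length
            break
        if atype == 0x80 and rec[off + 8] == 1 and rec[off + 9] == 0:
            # +0x20: run list offset, +0x30: real (logical) size of the data
            run_off, size = struct.unpack_from("<H14xQ", rec, off + 0x20)
            return decode_runs(rec[off + run_off:off + alen]), size
        off += alen
    raise ValueError("$DATA attribute not found")

def md5_of_mft(vol):
    """vol: binary file object over the raw volume or an image of it."""
    vol.seek(0)
    cluster, mft_lcn, rec_size = boot_geometry(vol.read(512))
    vol.seek(mft_lcn * cluster)
    runs, left = mft_data_runs(vol.read(rec_size))
    md5 = hashlib.md5()
    for lcn, count in runs:
        vol.seek(lcn * cluster)
        for _ in range(count):                   # one cluster at a time
            md5.update(vol.read(cluster)[:left])
            left = max(0, left - cluster)
    return md5.hexdigest()
```

Because the offsets in the run list are relative and signed, a fragmented $MFT can continue at a lower cluster number than its first run, which is why the walk follows the decoded list rather than reading forward from the boot sector's MFT pointer.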